Abstract

The security significance of the trace distance security criterion d is analyzed in terms of operational
probabilities of an attacker's success in identifying different subsets of the generated key,
both during the key generation process and when the key is used in one-time pad data encryption
under known-plaintext attacks. The difference between Eve's sequence error rate and bit error rate
is brought out. It is shown with counter-examples that the strong security claim maintained in the
literature is incorrect. Other than the whole key error rates that can be quantified at the levels d^{1/3}
and d^{1/4}, which are much worse than d itself, the attacker's success probabilities in estimating various
subsets of the key and in known-plaintext attacks are yet to be quantified from d, if that is possible. It
is demonstrated in realistic numerical examples of concrete protocols that a drastic breach of security
cannot yet be ruled out.
I. INTRODUCTION

In quantum key distribution (QKD) there have been many proofs offered on the "unconditional
security" of various protocols of the BB84 variety. For a recent review see [1]. Security
is a serious matter which cannot be established experimentally, in contrast to most problems
in science and technology, if only because the possible different attacks are unlimited. A
systematic examination of fundamental security analysis, as opposed to practical imperfections,
will be offered, of which this paper constitutes the first part; it is concerned with security
criteria, their empirical meanings and the quantitative levels needed for meaningful security.
Without them the term "unconditional" or whatever security would be empty and in fact
misleading. It will be shown that, in contrast to the prevalent claims in the literature, QKD
security has not yet been properly quantified.

Until 2004-2005, and often till recently, the security criterion adopted was the attacker Eve's
quantum accessible information (I_ac) on the generated key K, which is the maximum mutual
information Eve has on K from a measurement on the probe she may set on the quantum
signals transmitted during the key generation process. Security of K during key generation,
before it is actually used, is called "raw security" [2], to distinguish it from "composition
security" when K is actually used in an application for which Eve may possess additional
information related to K. In particular, when K is used for data encryption, part of K
may be known to Eve in a known-plaintext attack (KPA) to help her get at the rest of
K and thus the rest of the encrypted data. KPA can be simply represented when K is
used in the one-time pad format, in which some bits among the n-bit K are known to Eve.
KPA security is necessary for security because that is the major weakness of conventional
symmetric-key ciphers that QKD purports to overcome. Indeed, there is otherwise no need for
QKD since its achievable raw security is worse in a precise sense [2] than that of conventional
ciphers, in which the key is typically totally hidden by uniform random data. The security
under discussion is information theoretic, and the symmetric-key cipher, not RSA, is the proper
comparison with QKD since a shared secret key is needed for both in an information theoretic
context.

It was claimed in [3] that an exponentially small (in n) I_ac would guarantee universal composition
security and that such is the case obtained in prior security proofs, while suggesting
also that a trace distance criterion, often denoted by "d", which we adopt, is a better criterion to
work with. In [4] it was shown from quantum information locking that a merely exponentially
small I_ac does not imply KPA security. The small leak in [4] is enlarged to a "spectacular
failure" of the I_ac criterion in [5]. At present, d is the only basis of the QKD unconditional
security claim, including the use of privacy amplification [1, 6, 7].

However, the precise security claim associated with d has not been quantitatively spelled
out, while various paraphrases in words without mathematical expression are given for very
strong security claims on behalf of d. In [2] the errors of some such interpretations are
pointed out, but there are other possible interpretations that appear to support such claims,
which still persist. To settle this fundamental security issue, in the following we will examine
all such interpretations one may infer from the various wordings in the literature and
give them precise mathematical expressions. They are found to be either incorrect or too
weak to support the claimed security. Generally, Eve's optimal sequence error rate on K
is only bounded by d^{1/3} and her bit error rate is bounded from 1/2 by d^{1/4}, while her error
rates on subsets of K are not quantified. In the process, we also identify the empirically
meaningful criteria of security that guarantee fundamental security. It will be demonstrated
that a disastrous breach of security is not ruled out with practically achievable levels of d from
concrete protocols, even though that is very unlikely, with probability bounded by d, under
the prevalent incorrect interpretation.

II. THE CRITERION d AND ITS INTERPRETATIONS 

During key generation Eve sets her probe and the protocol goes forward. After privacy
amplification the final key K is generated with corresponding "prior probability" p(k) and
probe state ρ_E^k on each k. Let

\rho_K = \sum_k p(k)\,|k\rangle\langle k|   (1)

for N orthonormal |k⟩'s in the space H_K, N = 2^n. Let

\rho_E = \sum_k p(k)\,\rho_E^k   (2)

\rho_{KE} = \sum_k p(k)\,|k\rangle\langle k| \otimes \rho_E^k   (3)

The criterion d is defined to be

d = \frac{1}{2}\,\| \rho_{KE} - \rho_U \otimes \rho_E \|_1   (4)

where ρ_U is given by (1) with p(k) = U(k) for the uniform random variable U. It can be
readily shown (similar to Lemma 2 in [?]) that

d = \frac{1}{2} \sum_k \| p(k)\,\rho_E^k - \frac{1}{N}\,\rho_E \|_1   (5)

A key K with d ≤ ε is called "ε-secure", as it has been forced by privacy amplification to be
ε-close to U. But what is the operational meaning of d ≤ ε?

The major interpretation that has been given to d ≤ ε, which has lent it a strong security
interpretation, has two slightly different versions, to be called (i) and (ii) in the following:

(i) "The real and the ideal setting can be considered to be identical with probability at
least 1 − ε."

(ii) The parameter ε can be understood as the "maximum failure probability" [1, 8, 9] of
the real protocol, "where 'failure' means that 'something went wrong', e.g., that an
adversary might have gained some information on K" [8].

In [2] the interpretation (i) is shown to be incorrect in that the real and the ideal setting
are actually different with probability 1 from the given mathematical representation. We
now give a precise mathematical representation of (ii), namely, Eve's real performance V_r
(the bigger the better for her) in an attack of any kind can be better than V_i, the
performance of the ideal uniform K case, by a probability no more than ε, i.e.,

\Pr[V_r > V_i] \le \varepsilon   (6)

The probability in this case is obtained when Eve makes a measurement, as opposed to (i)
which involves the setting before measurement. This intended probability interpretation
of ε is also utilized explicitly in [9] to derive composition security under d.



The justification for (ii) is the same as for (i), namely the interpretation of Lemma 1 in
[6] that the variational distance v(P,Q), 0 ≤ v ≤ 1, between two distributions P and Q on
the same sample space "can be interpreted as the probability that two random experiments
described by P and Q, respectively, are different". This interpretation is derived from Lemma
1, which asserts the existence of a joint distribution that gives marginals P and Q and for
which the results of the two random experiments differ with just probability v(P,Q). It was
pointed out in [2, 10] that there is no reason to expect there is such a joint distribution in force.
However, the contrary belief is still widespread.

Thus, two more reasons why this would not work are now given, to be followed by specific
counter-examples. First, even if such a joint distribution is in force it is not represented in
the mathematical formulation, which just treats P and Q as independent. Furthermore,
if it is introduced explicitly, then whether the measurement result is close to that from U
is irrelevant since Eve can learn about K through the joint distribution, i.e., the claimed
conclusion still does not follow. In fact a counter-example would result, classically or quantum
mechanically, whenever knowing parts of K reveals the rest with certainty, such as in the case
of information locking.

For an explicit simple example, consider a two-bit K with k = k_1 k_2 for two bits k_1 and
k_2 with uniform a priori probability. Let |i⟩, i ∈ 1 − 4, be the four BB84 states on a qubit
with ⟨1|3⟩ = ⟨2|4⟩ = 0. Let the states be

\rho_E^{00} = |1\rangle|1\rangle, \quad \rho_E^{01} = |1\rangle|3\rangle   (7)
\rho_E^{10} = |1\rangle|2\rangle, \quad \rho_E^{11} = |1\rangle|4\rangle

Thus, k_2 is locked into the second qubit through k_1 and is unlocked by measuring in the 1-3
or 2-4 basis given the knowledge of k_1. The protocol then fails for sure, but d is not given by
1, which never happens in any protocol since that requires ρ_KE and ρ_U ⊗ ρ_E to be orthogonal.
To give a raw security example with a large "failure probability", consider the distribution
upon a measurement result with P_i = (1 + 2ε)/N for i ∈ 1 − N/2 and P_i = (1 − 2ε)/N for i ∈ (N/2 + 1) − N, so
that v(P, U) = ε. Then Eve gains "information" compared to the ideal case with probability
1/2, not ε. What happens, of course, is that no "joint distribution" other than the product one
is included in the mathematical formulation, and conceptually ε is not an event probability
though it may be the difference of two event probabilities. Although the information gained in
this counter-example is small, it clearly shows that the variational distance is not the probability
that information is leaked.
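The two counter-examples above, the locking states (7) and the half-shifted distribution with v(P,U) = ε, worked numerically as an added example that is not part of the original paper. It computes d for (7) both through the entangled form (4) and the probe-only form (5), Eve's probability of recovering k_2 once k_1 is known, the success of a plain 1-3 basis measurement without any knowledge of k_1, and the probability of the "gain" event in the classical distribution. The concrete choice of the BB84 states (Z and X eigenbases), the uniform prior and the 2^10-point classical example are assumptions made here.

```python
import numpy as np

# Four BB84 qubit states |1>,|2>,|3>,|4> with <1|3> = <2|4> = 0.
# Assumption: |1>,|3> are the Z eigenstates and |2>,|4> the X eigenstates.
BB84 = {
    1: np.array([1.0, 0.0], dtype=complex),
    3: np.array([0.0, 1.0], dtype=complex),
    2: np.array([1.0, 1.0], dtype=complex) / np.sqrt(2),
    4: np.array([1.0, -1.0], dtype=complex) / np.sqrt(2),
}

def ket(*labels):
    """Tensor product of the listed BB84 states, e.g. ket(1, 3) = |1>|3>."""
    v = np.array([1.0], dtype=complex)
    for lab in labels:
        v = np.kron(v, BB84[lab])
    return v

def proj(v):
    return np.outer(v, v.conj())

# Eq. (7): k = k1 k2, probe state |1>|psi_k>; k2 is locked behind k1.
PROBE = {"00": ket(1, 1), "01": ket(1, 3), "10": ket(1, 2), "11": ket(1, 4)}
KEYS = sorted(PROBE)
N = len(KEYS)
PRIOR = {k: 1.0 / N for k in KEYS}  # uniform p(k), so rho_K = rho_U here

def trace_norm(A):
    """||A||_1 for Hermitian A: sum of the absolute eigenvalues."""
    return float(np.abs(np.linalg.eigvalsh((A + A.conj().T) / 2)).sum())

def rho_E():
    """Eq. (2): Eve's averaged probe state."""
    return sum(PRIOR[k] * proj(PROBE[k]) for k in KEYS)

def d_entangled():
    """Eq. (4): d = (1/2) || rho_KE - rho_U (x) rho_E ||_1."""
    rho_KE = sum(PRIOR[k] * np.kron(proj(np.eye(N)[i]), proj(PROBE[k]))
                 for i, k in enumerate(KEYS))
    rho_U_E = np.kron(np.eye(N) / N, rho_E())
    return 0.5 * trace_norm(rho_KE - rho_U_E)

def d_probe_only():
    """Eq. (5): d = (1/2) sum_k || p(k) rho_E^k - rho_E / N ||_1."""
    rE = rho_E()
    return 0.5 * sum(trace_norm(PRIOR[k] * proj(PROBE[k]) - rE / N) for k in KEYS)

def unlocked_success(k1):
    """KPA: Eve knows k1 and measures qubit 2 in the {1,3} or {2,4} basis.
    Returns her probability of getting k2 right, averaged over k2."""
    basis = (1, 3) if k1 == "0" else (2, 4)
    total = 0.0
    for k2 in "01":
        outcome = ket(1, basis[int(k2)])  # the outcome that decodes to k2
        total += 0.5 * abs(np.vdot(outcome, PROBE[k1 + k2])) ** 2
    return total

def zbasis_guess_success():
    """Raw security, no KPA: measure qubit 2 in the 1-3 basis and guess
    k = 00 on outcome 1, k = 01 on outcome 3. Compare with the ideal 1/N."""
    total = 0.0
    for k in KEYS:
        for guess, lab in (("00", 1), ("01", 3)):
            if guess == k:
                total += PRIOR[k] * abs(np.vdot(ket(1, lab), PROBE[k])) ** 2
    return total

def variational_distance(P, Q):
    return 0.5 * float(np.abs(P - Q).sum())

def half_shifted(n_bits, eps):
    """Constructed P on 2^n values: (1+2eps)/2^n on the first half and
    (1-2eps)/2^n on the second half, so that v(P, U) = eps."""
    M = 2 ** n_bits
    P = np.full(M, 1.0 / M)
    P[: M // 2] *= 1 + 2 * eps
    P[M // 2 :] *= 1 - 2 * eps
    return P

def gain_event(n_bits, eps):
    """Returns (v(P,U), probability under P of the half where P exceeds U)."""
    P = half_shifted(n_bits, eps)
    U = np.full(len(P), 1.0 / len(P))
    return variational_distance(P, U), float(P[P > U].sum())

if __name__ == "__main__":
    print("d via (4):", d_entangled(), " d via (5):", d_probe_only())
    print("P(k2 correct | k1 known):", unlocked_success("0"), unlocked_success("1"))
    print("raw 1-3 basis guess:", zbasis_guess_success(), " ideal:", 1 / N)
    print("v(P,U), gain-event probability:", gain_event(10, 0.01))
```

For the states (7) both forms give d = 1/2, yet Eve recovers k_2 with certainty once k_1 is known, and even without it a single basis measurement guesses the whole two-bit key with probability 1/2 against the ideal 1/4. In the classical case v(P,U) equals ε while the half on which P exceeds U carries probability (1 + 2ε)/2, so the event "Eve does better than the ideal" has probability about 1/2, not ε.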

There is another interpretation:

(iii) "Distinguishability advantage" between the real and the ideal protocols is bounded by
ε [?].

The distinguishability advantage that is referred to here is the trace distance (4) between the
"real" and the "ideal" situations. From binary quantum decision theory [11] the optimum probability
of success is

P_c = \frac{1}{2} + \frac{1}{2}\,\| p_0 \rho_0 - p_1 \rho_1 \|_1   (8)

for two states ρ_0 and ρ_1 with a priori probabilities p_0 and p_1 = 1 − p_0. Clearly, Eve does not make
such a binary decision, if only because H_K is not accessible to her. Indeed, if it were, she could just
measure on it to identify K. The entanglement form (4) is misleading even in the classical
limit, and the form (5) on Eve's probe alone is appropriate for interpretation.

Equation (5) shows that each unnormalized trace distance is bounded by ε and thus the trace
distance between two different ρ_E^k is bounded by 4ε from the triangle inequality,

\| p(k)\,\rho_E^k - p(k')\,\rho_E^{k'} \|_1 \le 4\varepsilon   (9)

Since p(k) is the distribution of K after privacy amplification, it is generally nonuniform with
correlation between bits. It is not possible to draw the conclusion from (8)-(9) that k and k'
cannot be distinguished with probability better than P_c = 1/2 + 2ε even after renormalization
of p(k) and p(k'). Also, it is only possible to conclude from (5) that

\| p(k)\,\rho_E^k - \frac{1}{N}\,\rho_E \|_1 \le 2\varepsilon   (10)

and not the "distinguishability advantage" interpretation ‖ρ_E^k − ρ_E‖_1 ≤ 2ε. This is so even
after the application of the Markov Inequality to obtain an individual guarantee at a level ε' > ε.

Interpretation (iii) is not relevant, and certainly not sufficient, for general security, which
involves M-ary decisions by Eve for M = 2 to M = 2^n. Note that even classically, the
M-ary performance could only improve for Eve with decreasing M, on the absolute level
at least. A level ε may appear adequate for a bit decision compared to 1/2, but is in fact very
inadequate for an M-ary decision as compared to 1/M. In the information security literature
a "semantic security" binary decision condition similar to (7) has been obtained for the
"bounded storage model" [12] for "message" security, with K and any K̃ ⊂ K being possible
messages for comparison with QKD. Such a condition is not strong enough for just raw security,
as just indicated, apart from KPA security. However, in [12] the security guarantee is much
stronger than (9) from d because it is valid for every pair of k and k' as well as any k̃ and
k̃', while no Markov Inequality is needed for its application. Most significantly, the security
is controlled by a security parameter that can make the quantitative level arbitrarily small.
There is no such security parameter in QKD. Thus, d ≤ ε does not offer the equivalent of
such "semantic security" in QKD.

Composition security of the "expansion" kind under d follows from the fact that
‖ρ_i − σ_i‖_1 ≤ ε_i, i ∈ 1 − m, implies

\| \rho_1 \otimes \cdots \otimes \rho_m - \sigma_1 \otimes \cdots \otimes \sigma_m \|_1 \le \sum_{i=1}^{m} \varepsilon_i   (11)

In contrast to the case of interpretation (i) or (ii), this (11) does not guarantee KPA security,
which is a "contraction". Furthermore, there are problems in adopting (11) to the form (4)
or (5), which are overcome in [9] by the incorrect interpretation (ii).
We have gone through all the security significance of d that can be drawn from the
literature, correct and incorrect ones. We will next derive valid operational guarantees from
the security condition d ≤ ε.

III. SEQUENCE ERROR PROBABILITY GUARANTEE FROM d 

Theoretical quantities such as I_ac and d have no direct operational or empirical meaning
in information theory already [13]. They surely do not in cryptography, and the translation
of d into an operational probability guarantee is a central issue in the foundation of information-
theoretic cryptography. A generalization of interpretation (iii) is

V_r \le V_i + \varepsilon'(\varepsilon)   (12)

where ε' is some function of ε for d ≤ ε. Note that although (6) is a stronger security claim
than (12), it does not imply it, because (12) holds with certainty. Under (12), empirical
meanings of d are obtained when the performances V_r are Eve's success probabilities of
various kinds. Generally the probabilities we are concerned with are Eve's optimal probabilities
p_1(K̃) of successfully estimating K̃, which is any possible subset of K including K
itself, during key generation and in a KPA when K is used. We may want to bound such
probabilities to some acceptable level ε(K̃) which, ideally, should be close to 2^{-|K̃|}, where |K̃|
is the bit length of K̃,

p_1(\tilde K) \le \varepsilon(\tilde K)   (13)

When K̃ consists of m bits, m ≤ n, the problems involved are M-ary decisions, M = 2^m,
classically or quantum mechanically. Eve is going to utilize all her side information and
measurements on her probe to best estimate K̃. The usual optimal detection theory [11, 14]
concerns the K̃-averaged optimal probability only.

Such averaged performance seems hard to avoid, and we would need the Markov Inequality
(MAI) for a random variable X to convert it to an individual guarantee [15],

\Pr[\,|X| \ge \sigma\,] \le \frac{E|X|}{\sigma}   (14)

For the application at hand, MAI needs to be used twice to get ε' from ε, from averages over
privacy amplification codes and over either the measurement result y or the individual k. Such an individual
guarantee is needed to rule out with high probability any disastrous breach of security.
It is evident that the trace distance or variational distance corresponding to a small p(k)
or p(y) can be large for any given d level. (In contrast, under interpretation (i) or (ii) one
only needs MAI once, for privacy amplification.) Since ε is typically much larger than the ideal level, one can treat ε as
a probability and minimize the total failure probability, the probability that the specified
security level is not guaranteed. This is important especially in crypto security because one
needs to take the users' worst case performance to guarantee a minimum security level.

Thus, given E|X| = ε one can guarantee from (14) the level |X| < σ with probability
≥ 1 − ε/σ. This gives the failure probability (failure to guarantee |X| < σ) of probability
≤ ε/σ. The "<" or "≤" is not significant here because the bounds may be approached
arbitrarily closely. When σ itself is a similar failure probability, the total failure probability
P_f, assuming independence of the two failure events, satisfies P_f ≤ 1 − (1 − σ)(1 − ε/σ) =
σ + ε/σ − ε. The best guarantee is thus obtained at σ = ε^{1/2}, with resulting P_f ≈ 2ε^{1/2} for
ε ≪ 1. Similarly, if there are two random parameters so that MAI needs to be used twice,
the total failure probability is minimized at σ_1 = σ_2 = ε^{1/3}, with resulting P_f ≈ 3ε^{1/3}.
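The failure-probability bookkeeping above, as an added example that is not from the paper: the total failure probability 1 − Π_i(1 − σ_i)(1 − ε/Π_i σ_i) for one, two or more applications of (14) is minimized by a brute-force search and compared with the stationary point σ = ε^{1/(k+1)}, P_f ≈ (k + 1)ε^{1/(k+1)}, which reduces to the text's 2ε^{1/2} and 3ε^{1/3}. The extension to k uses, the restriction to equal σ_i in the search, and the sample values of ε are assumptions made here.

```python
import math

def total_failure_probability(eps, sigmas):
    """P_f for one application of MAI (14) per entry of sigmas: application i
    fails with probability sigma_i, and the final guarantee, whose average is
    eps divided by the product of the sigmas, fails with that remaining
    probability; the failure events are assumed independent."""
    prod = math.prod(sigmas)
    last = eps / prod
    if last >= 1.0:
        return 1.0  # the last step guarantees nothing at all
    survive = 1.0 - last
    for s in sigmas:
        survive *= 1.0 - s
    return 1.0 - survive

def closed_form_optimum(eps, uses):
    """Stationary point of sum(sigma) + eps/prod(sigma) with equal sigmas:
    sigma = eps^(1/(uses+1)), giving 2 eps^(1/2) for one use and 3 eps^(1/3)
    for two uses, as in the text. Returns (sigma, approximate P_f)."""
    sigma = eps ** (1.0 / (uses + 1))
    return sigma, (uses + 1) * sigma

def exact_failure_at_optimum(eps, uses):
    """P_f at sigma = eps^(1/(uses+1)) without dropping the cross terms."""
    sigma = eps ** (1.0 / (uses + 1))
    return total_failure_probability(eps, [sigma] * uses)

def grid_search_optimum(eps, uses, points=20000):
    """Brute-force minimum over equal sigmas on a log grid in (eps, 1),
    as an independent check of closed_form_optimum."""
    best_sigma, best_pf = None, 2.0
    log_eps = math.log(eps)
    for j in range(1, points):
        sigma = math.exp(log_eps * (1.0 - j / points))
        pf = total_failure_probability(eps, [sigma] * uses)
        if pf < best_pf:
            best_sigma, best_pf = sigma, pf
    return best_sigma, best_pf

if __name__ == "__main__":
    for eps in (1e-6, 1e-9):          # constructed sample levels of d
        for uses in (1, 2):
            sigma, approx = closed_form_optimum(eps, uses)
            print(f"eps={eps:g} uses={uses}: sigma={sigma:.3g} "
                  f"P_f~{approx:.3g} exact={exact_failure_at_optimum(eps, uses):.3g} "
                  f"grid={grid_search_optimum(eps, uses)}")
```

With ε = 10^{-9} and two uses of MAI the guaranteed level collapses from 10^{-9} to about 3 × 10^{-3}, which is the six-orders-of-magnitude drop discussed for the concrete protocol in Section V; the grid search confirms that the equal-σ stationary point is the true minimum rather than an approximation.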

When Eve makes a measurement on her probe with result Y, from Bayes rule d ≤ ε
becomes [16]

(15)

In lieu of applying MAI to the K̃-average, one may apply it to the Y-average form (15). The first
major problem in raw security is the optimal probability that Eve can estimate the whole K
correctly. This problem is more than the guarantee from a single distribution which would
be offered by a single variational distance. It is readily shown [16] through bounding on each
measured result y in (15) that the K-averaged optimum probability p_1(K) is bounded
as in (12),

p_1(K) \le 2^{-n} + \varepsilon'(\varepsilon)   (16)

with ε'(ε) = 3ε^{1/3} for two uses of MAI.
Similarly, Eve's optimal subset K̃ probabilities averaged over K̃, p_1(K̃), are to be determined
from 2^{|K̃|}-ary optimum quantum decision. For some ε'(ε), one needs to show from
d ≤ ε

p_1(\tilde K) \le 2^{-|\tilde K|} + \varepsilon'(\varepsilon)   (17)
For a KPA, one needs to show for possibly another ε'(ε),

p_1(\tilde K_2 \mid K_1 = k_1) \le 2^{-|\tilde K_2|} + \varepsilon'(\varepsilon)   (18)

when a portion K_1 of K is known to be k_1 and a subset K̃_2 of the rest K_2 is to be estimated.
It appears difficult if not impossible to obtain (17)-(18) in general [16], with or without the
use of MAI. This is not surprising, since some K̃ may be poorly protected under just a
condition d ≤ ε on the overall K. The average performance over the rest of K is hard to
quantify with or without MAI, especially for a KPA. (The proper subset probabilities given
in [10] are not Eve's optimal.) Thus, Eve's sequence success probabilities on K̃ ⊂ K in
both raw and KPA security are not quantified (yet at least) under the security condition
d ≤ ε. Of course, (17)-(18) follow with high probability under interpretation (i) or (ii).

Note that a quantitative statement together with a general proof is lacking on what
security guarantee is obtained from d against information locking leaks.



IV. BIT ERROR RATE GUARANTEE FROM d

It is possible that in a wrong sequence decision on K̃ for any K̃ ⊆ K, Eve may nevertheless
get more than half of the bits in K̃ correctly even if the "a priori" p(k̃) as derived from
p(k) is uniform. This is the bit error rate (BER) versus sequence error probability issue in
communications. Thus, in addition to the sequence error probability, Eve's typically better
BER needs to be bounded also from d ≤ ε. Eve's BER, to be denoted by p_b, is clearly one
fundamental operational criterion when K is used in the one-time pad format. The sequence
error probability (rate) is needed if K is used as the seed key of a conventional cipher,
which however has no KPA security independently of Eve's quantum probe. Note that p_b is
different from a single-bit K̃ success probability and is not known to be determined by d.
Under interpretation (i) or (ii), p_b = 1/2, the ideal value, with probability ≥ 1 − ε.

The only known general lower error bound on p_b is the Fano Inequality, which can be applied to
both the sequence error rate [15] and the BER [17]. For d ≤ ε its use for the sequence error rate yields
a bound less good than (16) for typical parameters [16]. The BER is defined to be the per-bit
error probability

p_b = \frac{1}{n} \sum_{i=1}^{n} P_e(i)   (19)

where P_e(i) is the probability that the ith bit in K is incorrectly obtained from Eve's estimate
of K. The Fano Inequality gives in this case

n\,H(p_b) \ge H(K) - I_{ac}   (20)

where H(·) is the binary entropy function and H(K) the entropy of K from p(k). We can bound
H(K) in bits from d ≤ ε using [15, theorem 17.3.3]

H(K) \ge n - \varepsilon \left( n + \log \frac{1}{\varepsilon} \right) \approx n(1 - \varepsilon)   (21)

In (21) the term log(1/ε) is usually small compared with n, while I_ac is typically ≪ 1 and can
be neglected in (20). Thus (20)-(21) yield, for p_b = 1/2 − ε' and small ε', ε' < (ε/4 log e)^{1/2}.
Since MAI needs to be used twice before this ε' is applied, it is similar to the case of using
it three times, and the final ε' is therefore

\varepsilon' < \frac{\varepsilon^{1/4}}{2\sqrt{\log e}}   (22)

As expected, the BER guarantee (22) in the form (12) is worse than that of the corresponding
sequence error.
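The Fano step (20)-(21) carried out numerically, as an added example that is not from the paper: with I_ac neglected (or supplied), the bound on p_b is the root of H(p_b) = (H(K) − I_ac)/n with H(K) replaced by its bound (21), found by bisection on [0, 1/2]; the quadratic expansion H(1/2 − x) ≈ 1 − 2x² log₂e, which is the kind of small-ε' approximation behind the closed forms in the text, is evaluated alongside for comparison. The values of n and ε are illustrative, and whether the caller passes ε itself or the MAI-adjusted level is left open through the eps parameter.

```python
import math

LOG2E = math.log2(math.e)

def binary_entropy(p):
    """H(p) in bits, with H(0) = H(1) = 0; increasing on [0, 1/2]."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)

def key_entropy_lower_bound(n, eps):
    """Eq. (21): H(K) >= n - eps (n + log2(1/eps))."""
    return n - eps * (n + math.log2(1.0 / eps))

def ber_lower_bound(n, eps, i_ac=0.0, iters=200):
    """Smallest p_b in [0, 1/2] allowed by Fano, eq. (20): n H(p_b) >= H(K) - I_ac,
    with H(K) replaced by its bound (21). Bisection on the increasing branch of H."""
    target = (key_entropy_lower_bound(n, eps) - i_ac) / n
    if target >= 1.0:
        return 0.5          # nothing leaked: Eve does no better than guessing
    if target <= 0.0:
        return 0.0          # the bound has no content
    lo, hi = 0.0, 0.5
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if binary_entropy(mid) < target:
            lo = mid
        else:
            hi = mid
    return hi

def ber_excess_quadratic(n, eps, i_ac=0.0):
    """Small-x approximation H(1/2 - x) ~ 1 - 2 x^2 log2(e): the excess
    x = 1/2 - p_b is at most sqrt((1 - target) / (2 log2 e))."""
    target = (key_entropy_lower_bound(n, eps) - i_ac) / n
    return math.sqrt(max(0.0, 1.0 - target) / (2.0 * LOG2E))

def extra_correct_bits(n, eps, i_ac=0.0):
    """Expected number of bits beyond n/2 that Eve may get right under the bound."""
    return n * (0.5 - ber_lower_bound(n, eps, i_ac))

if __name__ == "__main__":
    n = 4000                              # constructed key length
    for eps in (1e-4, 1e-6, 1e-9):        # constructed levels of d
        pb = ber_lower_bound(n, eps)
        print(f"eps={eps:g}: p_b >= {pb:.6f}, excess {0.5 - pb:.3e} "
              f"(quadratic {ber_excess_quadratic(n, eps):.3e}), "
              f"extra correct bits ~ {extra_correct_bits(n, eps):.2f}")
```

The excess 1/2 − p_b scales as the square root of the entropy deficit, so the BER guarantee degrades much faster than the deficit itself; feeding in an MAI-adjusted level in place of ε, as the text does before arriving at (22), shrinks the exponent again, which is why the individual BER guarantee ends up far worse than the sequence-error guarantee.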

Similar to the case of the sequence error rate, it does not appear there is any readily derived
p_b(K̃) from (20) for raw and KPA security if Eve attacks proper subsets K̃ ⊂ K via optimal
2^{|K̃|}-ary quantum detection. From her specific attack and knowledge of the error correction
and privacy amplification codes, Eve can estimate p(k) and attack K̃ from such "a priori"
information apart from her probe measurement. As also in the case of her sequence error
probability, the best subset performance can be very good for her, and it is difficult to bound
her average subset performance.

V. QUANTITATIVE GUARANTEE FROM d 

There has been the persistent "intuition" that a criterion should be fine if the level is
brought down to a sufficiently small level, assuming the value zero in the ideal case. That
seems to be true, but the whole question is how small is sufficiently small. It is a quantitative
issue relative to the situation at hand. Even I_ac gives security if it is smaller than 2^{-n} for an
n-bit K [16], which also follows from the O(log n/ε) bits of K needed in a KPA [5] for a large
leak of deterministic bits.

Equality in (16) may be achieved [10]. Since ε' gives the probability level that the entire
K can be found by Eve in raw security, it must be very small even if not close to 2^{-n}. A similar
p_1 ≈ ε' is obtained for I_ac/n ≤ ε [10]. In this regard, the necessity of using the Markov Inequality
for an individual guarantee to eliminate a disastrous security breach causes great difficulty in
practice, from (22) and ε' = 3ε^{1/3} in (16). The problem then is that it is very hard to get a low
enough level of d or I_ac in practice.

It is rare to find an experimental QKD system with quantified security, but the one in [18]
gives I_ac ~ 2^{-…} for n ~ 4000. Similar to (16), after two applications of MAI, the p_1 level of
2^{-…} becomes ~ 2^{-…}, a drop of over four orders of magnitude. For the six-state BB84 protocol
theoretically analyzed recently [19] with d ≤ ε = 10^{-9} (and key rate 0.01 bps), p_1 from (16)
becomes 10^{-3}, a drop of six orders of magnitude from fairly secure to not at all secure. For the
BER, ε' ~ 2^{-9}, and thus on average one more bit out of 500 bits of K may turn out correct to
Eve in addition to half of K. This can be compared to the binomial fluctuation level of one
in 10^{…} − 10^{…} bits for the n in [19]. For the system of [18] it is possible to bound d via p_1 [16],
and ε' in (22) may get up to 25%, though for such a large value the approximation of H(p_b)
leading to (21) may not be accurate. However, it is clear that a drastic breach of security is
not adequately ruled out with the above numerical values. No subset K̃ or KPA probabilities
of the form (17)-(18) can be numerically estimated, since it is not known whether they hold,
nor for what ε'(ε).

VI. CONCLUSION 

We have shown that the QKD strong security claim (i) or (ii) fails to obtain under the
security guarantee d ≤ ε, while (iii) does not address the operational security levels. We
provide operational security meaning to d via bounds on Eve's sequence error probability
and bit error rate when she attacks the whole key K; the guaranteed levels are far worse
than d itself, and no result can yet be obtained on her optimal attacks on subsets of K or on
her known-plaintext attacks. This also causes a fundamental problem on the final key rate,
because better general security cannot be obtained by further privacy amplification without
settling these security criteria issues first.

Similar to I_ac, the criterion d gives some measure of security to a QKD protocol. However,
it does not rule out huge leakage with appreciable probability, especially when the
achievable level is inadequate for the necessary individual guarantee, which seems to be the
case in current as well as future practice. Indeed, even the formulation of an operationally
meaningful security criterion for known-plaintext attacks does not yet exist. In a future
paper, we will show that the actual security level cannot even be quantified due to other factors
not properly taken into account in the security analysis thus far. It appears that either
QKD should be treated like any other existing cryptosystem with unknown fundamental
security, or new approaches and especially new protocols need to be developed for a fundamental
security guarantee.